Abstract

We present an algorithm for solving the discrete logarithm problem in Jacobians of families of plane curves whose degrees in X and Y are low with respect to their genera. The finite base fields are arbitrary, but their sizes should not grow too fast compared to the genus. For such families, the group structure and discrete logarithms can be computed in subexponential time L_{q^g}(1/3, O(1)). The runtime bounds rely on heuristics similar to the ones used in the number field sieve or the function field sieve.



1 Introduction 

The discrete logarithm problem (DLP) is the keystone for the security of cryptosystems based on elliptic curves and on Jacobian groups of more general algebraic curves. While to date, elliptic curves provide a very broad range of groups for which no algorithm improves over the generic ones for attacking the DLP, the same does not hold for higher genus curves. A variety of algorithms exists to tackle the DLP on Jacobians of curves, depending on whether the problem is being considered with the field size or the genus growing to infinity, or possibly both. For a general overview on algorithms for the DLP, see the survey [12]. The outcome is that for implementing cryptographic primitives, curves of genus 3 and higher have clear practical disadvantages over curves of genus 2 and elliptic curves. Yet, studying the DLP on these curves is important in particular because of the Weil descent strategy, which reduces the DLP on elliptic curves over extension fields to the DLP in the Jacobian of a curve of higher genus. Therefore, besides the better understanding of the general picture that one may obtain by studying large genus curves, an algorithm for solving the DLP in the large genus case may eventually become a threat for some elliptic curve cryptosystems.

The following is a general strategy for solving the DLP in groups enjoying in particular a suitable notion of size (for more details on an appropriate model, see [13]). A first phase consists in collecting relations involving elements of a chosen factor base, which is a subset of the group under consideration formed by elements of relatively small size. Thereafter, the logarithms of these elements are deduced by linear algebra. Depending on the exact algorithm employed, the output of this computation either gives the logarithm of a chosen set of group elements, or in more advanced algorithms, the ability to compute the logarithms of arbitrary elements at a relatively low cost. The resulting complexity is usually of subexponential nature, namely of the form L_N(α, c) for α ∈ (0, 1) and c > 0, where N is the group size.

Quite early on, it appeared that this approach could be adapted to a family of hyperelliptic curves over a fixed base field F_q and of genus g growing to infinity. In this case the algorithm from [1] solves the DLP in subexponential time L_{q^g}(1/2, O(1)). This complexity is heuristic: it is established under the assumption that a given family of polynomials behaves similarly to random polynomials of the same degree. Later on, rigorous results for smoothness of divisors have led to proofs of the subexponential running time, and the algorithm has been generalised to further classes of curves [19]. These results imply that given a family of algebraic curves of growing genus g over a base field F_q with log q bounded by some polynomial in g, solving the DLP is possible in proven subexponential time L_{q^g}(1/2, O(1)).

We briefly mention, at the opposite end of the spectrum, the DLP on a family of curves of fixed genus over a base field F_q with q growing to infinity. In this case, analogous algorithms have a complexity which is exponential in log q [16], [9], [10]. This case is not studied here.

Subexponential algorithms are known in other common contexts, namely integer factorisation and computation of discrete logarithms in finite fields. Proven algorithms of complexity L(1/2) exist; however, the most efficient algorithms for these problems are the number field sieve and the function field sieve [2] and their derivatives, which achieve a heuristic complexity of L(1/3). For a long time, it has been an open problem to decide whether such a complexity can be achieved for solving the discrete logarithm problem in Jacobian groups of algebraic curves.

We answer this question positively for a relatively large class of curves and present a probabilistic algorithm of heuristic subexponential complexity L_{q^g}(1/3, O(1)) for solving the discrete logarithm problem in Jacobians of curves of genus g over finite fields F_q. Here, we consider families of curves C_i(X, Y) of genus g_i over finite fields F_{q_i}. We require g_i ≥ (log q_i)^ρ for a constant ρ > 2 (hypothesis (3) of Theorem 7), and the degrees in X and Y must stay within the non-empty interval with end points ≈ g_i^α and g_i^{1−α}, where 1/3 < α < 2/3. Our constraint on the curve equation is the key for producing principal divisors of small degree, in a manner analogous to the function field sieve. The computation of individual logarithms, once the relation collection and linear algebra steps have been completed, is performed using a special-Q descent strategy.

A previous related result appeared in [14]; however, this earlier version has been considerably improved. First, the class of curves to which our algorithm applies has been expanded. Furthermore, the computation of discrete logarithms no longer has complexity L(1/2 + ε, O(1)), but rather L(1/3, O(1)). This raises the question of determining explicitly the constant represented by O(1). Assuming the family of curves satisfies deg_X C_i · deg_Y C_i ≤ κ g_i, the exact complexity of our algorithm is L(1/3, (64κ/9)^{1/3}), which is a familiar complexity in the context of the number field sieve. We mention that subsequently to [14], Diem has presented at the 10th Workshop on Elliptic Curve Cryptography (ECC 2006) an algorithm based on similar ideas [8]; he argued that computing discrete logarithms for non-singular plane curves can be solved in L(1/3, (64/9)^{1/3} + ε) for any ε > 0. We show that the same complexity is also achieved using a slight modification of our algorithm and that it is valid for a class of curves strictly including those handled by Diem's algorithm.

The article is organised as follows. Section 2 gives an informal presentation of the algorithm. Section 3 provides the necessary tools for the precise statement and analysis of the algorithm, which is given in Sections 4 and 5. Some corner and special cases are studied in Section 6.

2 Main idea 

2.1 Relation collection 

Before describing our algorithm with all its technical details on the most general class of curves, we sketch in this section the main idea yielding a complexity of L_{q^g}(1/3, O(1)) for a restricted class of curves. We provide a simplified analysis by hand waving; Section 3 is devoted to a more precise description of the heuristics used and of the smoothness properties needed for the analysis.

Let F_q be a fixed finite field. We consider a family of C_{nd} curves over F_q, that is, curves of the form

$$C : Y^n + X^d + f(X, Y) = 0$$

without affine singularities such that gcd(n, d) = 1 and any monomial X^i Y^j occurring in f satisfies ni + dj < nd (see [23]). Such a curve has genus g = (n − 1)(d − 1)/2; assume that g tends to infinity, and that n ≈ g^α and d ≈ g^{1−α} for some α ∈ [1/3, 2/3] (the symbol ≈ meaning "about the same size", with no precise definition). The non-singular model of a C_{nd} curve has a unique point at infinity, which is F_q-rational; so there is a natural bijection between degree zero divisors and affine divisors, and in the following, we shall only be concerned with effective affine divisors. Choose as factor base F the about L_{q^g}(1/3, O(1)) prime divisors of smallest degree, that is, of degree bounded by some B ∈ N with B ≈ log_q L_{q^g}(1/3, O(1)).

To obtain relations, consider functions φ(X, Y) ∈ F_q[X, Y] such that

$$k = \deg_Y \varphi \approx g^{\alpha - 1/3} \quad\text{and}\quad \delta = \deg_X \varphi \approx g^{2/3 - \alpha}.$$

Whenever the affine part div(φ) of the divisor of φ is smooth with respect to the factor base, it yields a relation, and we have to estimate the probability of this event.

Let N be the norm of the function field extension F_q(C) = F_q(X)[Y]/(Y^n + X^d + f(X, Y)) relative to F_q(X). For a given function φ on the curve, if div φ contains only places of inertia degree 1, then div φ is B-smooth if and only if the norm of φ is. We have

$$\deg_X N(\varphi) = \deg \operatorname{Res}_Y\bigl(\varphi(X, Y),\, Y^n + X^d + f(X, Y)\bigr) \le \deg_X \varphi \cdot \deg_Y C + \deg_Y \varphi \cdot \deg_X C = n\delta + kd \approx g^{2/3}.$$

Heuristically, we assume that the norm behaves like a random polynomial of degree about g^{2/3}. Then it is B-smooth with probability 1/L_{q^g}(1/3, O(1)). (This is the same theorem as the one stating that a random polynomial of degree g is log_q L_{q^g}(1/2, O(1))-smooth with probability 1/L_{q^g}(1/2, O(1)); cf., for instance, Theorem 2.1 of [?].) Equivalently, we may assume heuristically that div(φ) behaves like a random effective divisor of the same degree deg_X N(φ). Then the standard results on arithmetic semigroups (cf. Section 3) yield again that div(φ) is smooth with probability 1/L_{q^g}(1/3, O(1)).

So the expected time for obtaining |F| = L_{q^g}(1/3, O(1)) relations is L_{q^g}(1/3, O(1)). With the same complexity, one can solve a linear system and obtain the discrete logarithms of the elements of F. If the group structure is not known in advance, it is also possible to deduce it from a Smith normal form computation, which lies again in the same complexity class.

It remains to show that the search space is sufficiently large to yield the required L_{q^g}(1/3, O(1)) relations, or otherwise said, that the number of candidates for φ is at least L_{q^g}(1/3, O(1)). The number of φ is about

$$q^{k\delta} \approx q^{g^{1/3}} \le e^{(g \log q)^{1/3} (\log(g \log q))^{2/3}} = L_{q^g}(1/3, O(1)).$$

The previous inequality in the place of the desired equality shows that a more rigorous analysis requires a careful handling of the log q factors in the exponent; in particular, k or δ has to be slightly increased. Moreover, the constant exponent in the subexponential function needs to be taken into account.

2.2 Individual logarithms 

After Section 2.1, the discrete logarithms of the elements of the factor base are known. Now, to solve a general discrete logarithm problem, we need to be able to rewrite any element in terms of elements of F. The classical tool for doing so is the special-Q descent strategy as introduced by Coppersmith [6].

The input is a place Q = div(u(X), Y − v(X)), for which the discrete logarithm is sought. While not all elements can be written in that form, most of them can; so without loss of generality, by randomising the input, we may assume the special form. The degree of Q is deg u ≤ g, and deg v < deg u.

One step of the special-Q descent rewrites a place of degree ≈ g^{1/3+τ} for some τ ∈ [0, 2/3] as a sum of places of degrees bounded by g^{1/3+τ/2}. Thus, the place Q of degree at most g is first rewritten as a sum of places of degrees bounded by g^{2/3}. Each of them is then rewritten as a sum of places of degrees bounded by g^{1/2}, and so on. We end up with a tree of places, whose leaves have a degree as close to g^{1/3} as we wish. Therefore, pushing the special-Q descent far enough, we can hope to obtain leaves that are in F, so that the discrete logarithms of all the elements of the tree, including that of Q, can be deduced.

Let us now sketch how one step of the special-Q descent works in our case. We consider a place Q = div(u(X), Y − v(X)) with deg v < deg u ≈ g^{1/3+τ} for some τ ∈ [0, 2/3]. The polynomial functions on the curve having a zero at Q and of degree in Y bounded by k ≈ g^{α−1/3+τ/2} form an F_q[X]-lattice generated by

$$\bigl[\,u(X),\; Y - v(X),\; Y^2 - \bigl(v(X)^2 \bmod u(X)\bigr),\; \dots,\; Y^k - \bigl(v(X)^k \bmod u(X)\bigr)\,\bigr].$$

We consider F_q[X]-linear combinations of these basis elements that have a small degree in X: allowing coefficients in the combination to have a degree up to ≈ g^{2/3−α+τ/2}, the corresponding functions have a degree in X bounded by ≈ g^{2/3−α+τ/2}. Among the ≈ q^{g^{1/3+τ}} such functions, we limit ourselves to a sieving space of size about q^{g^{1/3}}.

The degree of the affine part of the divisor of each function in the sieving space is bounded by n deg_X φ + d deg_Y φ ≈ g^{2/3+τ/2}. Since there are about q^{g^{1/3}} of them, one can expect to find one whose divisor is g^{1/3+τ/2}-smooth (apart from the place Q that is present in the divisor by construction). We have then rewritten Q as a sum of divisors of degree at most ≈ g^{1/3+τ/2} in time L(1/3).

In this description, we have been vague with respect to the degree bounds, and it is necessary to be more accurate, especially when τ is getting close to 0. This motivates the following section, in which we examine in more detail the smoothness results and heuristics that are needed for the algorithm.

3 Smoothness 

The algorithm presented in this article relies on finding relations as smooth divisors of random polynomial functions of low degree. As with other algorithms of this kind, for instance [1], its running time analysis is heuristic. The main heuristic assumption is that certain principal divisors are as likely to be smooth as random divisors of the same degree, for which the desired smoothness probabilities can be proved. In this section we collect the needed smoothness results, before discussing our heuristics in more detail. We suppose that all curves are given by absolutely irreducible plane affine models

$$C : F(X, Y) = 0$$

with F ∈ F_q[X, Y], where F_q is the exact constant field of the function field of C. Arithmetic of elements of the Jacobian group of such curves is detailed in [18]. In particular, operations such as splitting a divisor into a sum of places can be performed in polynomial time.

Essentially, we are interested in a factor base F consisting of the places of degree bounded by some parameter μ (a few technical modifications are necessary and will be discussed later in this section). Then an effective divisor of degree ν is called F-smooth or μ-smooth if it is composed only of places in F. The probability of μ-smoothness is ruled by the usual results on smoothness probabilities in arithmetic semigroups such as the integers or polynomials over a finite field, cf. [21].

Unfortunately, most results in the literature are stated for a fixed semigroup and give asymptotics for μ and ν tending to infinity, whereas we need information that is uniform over an infinite family of curves. Notice, however, the purely combinatorial nature of the question: how many objects of size up to ν can be built from irreducible blocks of size up to μ? The answer depends only on the number of building blocks of any given size, and it turns out that its main term is the same uniformly over all semigroups under consideration. This can be exploited to prove combinatorially, in the same spirit as for hyperelliptic curves, the following general result, which is Theorem 13 of [19]:

Theorem 1 (Heß) Let 0 < ε < 1, and let ν, μ and u = ν/μ be such that 3 log_q(14g + 4) ≤ μ ≤ ν^ε and u ≥ 2 log(g + 1). Denote by ψ(ν, μ) the number of μ-smooth effective divisors of degree ν. Then for μ and u sufficiently large (with an explicit bound depending only on ε, but not on q or g),

$$\frac{\psi(\nu, \mu)}{q^{\nu}} = e^{-u \log u\,(1 + o(1))}.$$

Denote by L(α, c), for 0 < α < 1 and c > 0, the subexponential function with respect to g log q, and let

$$M = \frac{\log(g \log q)}{\log q}.$$

The parameter g log q will be the input size for the class of curves we consider; more intrinsically, this is the logarithmic size of the group in which the discrete logarithm problem is defined.

Proposition 2 For some 0 < β < α < 1 and c, d > 0, let

$$\nu = \bigl\lfloor \log_q L(\alpha, c) \bigr\rfloor = \bigl\lfloor c\, g^{\alpha} M^{1-\alpha} \bigr\rfloor \quad\text{and}\quad \mu = \bigl\lfloor \log_q L(\beta, d) \bigr\rfloor = \bigl\lfloor d\, g^{\beta} M^{1-\beta} \bigr\rfloor.$$

Assume that there is a constant ρ > 0 such that g ≥ (log q)^ρ. Then for g sufficiently large,

$$\frac{\psi(\nu, \mu)}{q^{\nu}} \ge \frac{1}{L\bigl(\alpha - \beta,\; \tfrac{c}{d}(\alpha - \beta) + o(1)\bigr)},$$

where o(1) is a function that is bounded in absolute value by a constant (depending on α, β, c, d and ρ) times log log(g log q) / log(g log q).

Proof. One computes

$$u = \frac{\nu}{\mu} \ge \frac{c}{d} \left( \frac{g \log q}{\log(g \log q)} \right)^{\alpha - \beta} (1 + o(1))$$

(the inequality being due only to the rounding of ν and μ),

$$\log u = (\alpha - \beta) \log(g \log q)\,(1 + o(1))$$

and

$$\frac{\log \log u}{\log u} = o(1),$$

with both o(1) terms being of the form stipulated in the proposition. Applying Theorem 1 yields the desired result. Its prerequisites are satisfied since

$$\limsup \frac{\log \mu}{\log \nu} = \limsup \frac{\beta \log g - (1 - \beta) \log \log q}{\alpha \log g - (1 - \alpha) \log \log q} \le \limsup \frac{\beta \log g}{\alpha \log g - \frac{\log g}{\rho}} = \frac{\beta}{\alpha - \frac{1}{\rho}} =: \varepsilon'$$

because of the definition of ρ; then ε is taken to be any value strictly larger than ε' and less than 1. □

The choice of μ shall ensure that the factor base size, which is about q^μ, becomes subexponential. But the necessary rounding of μ, which may increase q^μ by a factor of almost q, may result in more than subexponentially many elements in the factor base when q grows too fast compared to g.

Proposition 3 Let 0 < β < 1 and ρ > (1 − β)/β. If g ≥ (log q)^ρ, then q = L(β, o(1)) for g → ∞.

Proof. One computes

$$q = e^{\log q} = e^{(g \log q)^{\beta} (\log q)^{1 - \beta} g^{-\beta}}.$$

Since g ≥ (log q)^ρ with ρ > (1 − β)/β, one gets (log q)^{1−β} ≤ g^{(1−β)/ρ} < g^β, so that q ≤ e^{(g log q)^β}. Compared to L(β, 1), the term (log(g log q))^{1−β} is missing in the exponent; since this term tends to infinity, the result follows. □

Corollary 4 Let 0 < β < 1, ρ > 0 and ρ > (1 − β)/β, and g ≥ (log q)^ρ. Then Proposition 2 remains valid for an arbitrary rounding of μ and ν, and q^μ = L(β, d + o(1)).

Proof. Let k be any integer. By Proposition 3,

$$\nu + k = \bigl\lfloor \log_q\bigl(q^k L(\alpha, c)\bigr) \bigr\rfloor = \bigl\lfloor \log_q L(\alpha, c + o(1)) \bigr\rfloor,$$

which shows that ν may be replaced by ν + k in Proposition 2. The same argumentation holds for μ. □

We need to deal with a few technicalities related to the potential singularities and the places at infinity of our curves. To this purpose, we augment the factor base as follows; this addition of a polynomial number of divisors is negligible compared to the subexponential factor base size. Furthermore, the computational expense incurred by these additions is also negligible, since the algorithms in [18] have polynomial complexity.

• Add to F all the places corresponding to the resolution of singularities, regardless of their degrees, whose number is bounded polynomially in d = deg F. The algorithm can then be described as if the curves were non-singular.

• Add to F the infinite places corresponding to non-singularities, regardless of their degrees, whose number is bounded by d by Bézout's theorem. Then a divisor is F-smooth if and only if its affine part is.

The correctness and the running time analysis of our algorithm depend on two heuristics that are classical in the context of discrete logarithm computations by collecting smooth relations. First of all, the smoothness probabilities of Proposition 2 should also apply to the special way in which we create the relations.

Heuristic 5 Let D of degree ν be the affine part of the divisor of a uniformly randomly chosen polynomial φ with imposed bounds on the degrees in X and Y. Then the probability of D to be F-smooth is asymptotically the same as that of a random effective affine divisor of degree ν to be μ-smooth. If φ is additionally constrained to have a zero in a special place Q, the same holds for div φ − Q.

The first part of the heuristic covers the initial relation collection phase as described in Section 2.1; the second part is needed for the special-Q descent of Section 2.2 for computing individual logarithms. They ensure that relations are found sufficiently quickly. Next, one needs to make sure that the found relations are sufficiently varied to capture the complete Jacobian group.

Heuristic 6 The probability that the relations found by the algorithm span the full relation lattice is the same as for random relations.

Here, the full relation lattice designates the lattice L such that the Jacobian group of C over F_q is isomorphic to the quotient by L of the free abelian group over the factor base. Randomness of relations is to be understood as the uniform distribution on the set of relations with coefficients between 0 and the order of the Jacobian group.

Depending on the choice of F, it is not immediately clear why Heuristic 6 should hold. For instance, assume that F contains places of inertia degree larger than 1 with respect to the function field extension F_q(X)[Y]/(C) over F_q(X), that is, places corresponding to ideals (u, v(X, Y)) with u ∈ F_q[X] and deg_Y v > 1. If φ is limited to being linear in Y, then no such place may occur in a relation, so that the relation lattice cannot have full rank.

In practice, however, inert places should be very rare. This is justified by the observation that these places have a Dirichlet density of 0: a place of degree μ and inertia degree f dividing μ corresponds to a closed point on C with X-coordinate in F_{q^{μ/f}} and Y-coordinate in F_{q^μ}, of which there are on the order of q^{μ/f}. Clearly, places with f ≥ 2 are completely negligible. Notice now that the proof of Theorem 1 is entirely combinatorial and relies only on the asymptotic number of places of degree μ. As this number is essentially unchanged when restricting to non-inert places, the proof of the theorem should carry over. This motivates an a priori artificial restriction of the factor base to non-inert places.

To summarise, we rely on the validity of Heuristics 5 and 6 for the factor base of smoothness parameter μ containing the following places:

• all places corresponding to the resolution of singularities;

• all places at infinity (i.e., places where the function X has a negative valuation);

• the affine non-inert places of degree bounded by μ, or otherwise said, the places corresponding to prime ideals of the form (u, Y − v) with u ∈ F_q[X] irreducible of degree at most μ and v ∈ F_q[X] of degree less than deg u.



4 Relation search 

For the time being, we assume that all groups we are dealing with are cyclic, of known order and with a known generator which is part of the factor base. Discrete logarithms are taken with respect to this generator. We discuss the complications arising when one of these conditions is not satisfied at the end of Section 5.

We are now ready to formulate precisely the algorithm outlined in Section 2, together with its complexity analysis. We start by the relation collection and linear algebra phases as sketched in Section 2.1.

Theorem 7 Let (C_i(X, Y))_{i∈N} be a family of plane curves of genus g_i over F_{q_i}, of degrees n_i in Y and d_i in X. Assume that there are constants κ > 0 and ρ > 2 such that

$$\frac{n_i d_i}{g_i} \le \kappa, \tag{1}$$

$$\frac{n_i}{(g_i/M_i)^{1/3}},\ \frac{d_i}{(g_i/M_i)^{1/3}} \to \infty \quad\text{with } M_i = \frac{\log(g_i \log q_i)}{\log q_i}, \tag{2}$$

$$g_i \ge (\log q_i)^{\rho}. \tag{3}$$

Let b be defined by

$$b = \left( \frac{8\kappa}{9} \right)^{1/3}, \quad\text{that is, } 9b^3 = 8\kappa.$$

There exists an algorithm that computes a factor base with L_{q_i^{g_i}}(1/3, b) elements, together with the discrete logarithms of all the factor base elements, in an expected running time of

$$L_{q_i^{g_i}}(1/3, c + o(1)) \quad\text{with } c = \left( \frac{64\kappa}{9} \right)^{1/3}$$

under Heuristics 5 and 6.
Proof. For the sake of notational clarity, we drop all indices i in the following.

Let ν, δ > 0 be constants to be optimised later. Consider polynomials φ(X, Y) ∈ F_q[X, Y], seen as functions on C, of degrees bounded by

$$\left\lceil \nu \cdot \frac{\kappa g}{d} \cdot (g/M)^{-1/3} \right\rceil = \left\lceil \frac{\nu \kappa\, g^{2/3} M^{1/3}}{d} \right\rceil \ \text{in } Y \quad\text{and}\quad \left\lceil \delta \cdot \frac{\kappa g}{n} \cdot (g/M)^{-1/3} \right\rceil = \left\lceil \frac{\delta \kappa\, g^{2/3} M^{1/3}}{n} \right\rceil \ \text{in } X.$$

Then (2) together with (1) implies that κg/n ≥ d and κg/d ≥ n are large compared to (g/M)^{1/3}, so that both bounds tend to infinity and their rounding only contributes a factor 1 + o(1).

The affine part of the divisor of φ has a degree bounded by

$$\deg_X \operatorname{Res}_Y(\varphi, C) \le \deg_X \varphi \cdot \deg_Y C + \deg_Y \varphi \cdot \deg_X C \le \bigl( \delta \kappa\, g^{2/3} M^{1/3} + \nu \kappa\, g^{2/3} M^{1/3} \bigr)(1 + o(1)) = \kappa(\delta + \nu + o(1))\, g^{2/3} M^{1/3} = \log_q L\bigl(2/3,\; \kappa(\delta + \nu + o(1))\bigr).$$

Let b > 0 be a constant to be optimised later, and choose a smoothness bound of ⌊log_q L(1/3, b)⌋. Then by (3) and Corollary 4 the factor base size is in L(1/3, b + o(1)), and by Corollary 4 and Heuristic 5 the smoothness probability of the divisor of φ is at least

$$\frac{1}{L\bigl(1/3,\; \frac{\kappa(\delta + \nu)}{3b} + o(1)\bigr)}.$$

The number of different φ that satisfy the chosen degree bounds is at least

$$q^{\nu \delta \kappa\, g^{1/3} M^{2/3}} = L(1/3, \kappa \nu \delta).$$

So the expected number of relations obtained from all these φ is bounded below by L(1/3, κ(νδ − (δ + ν)/(3b)) + o(1)). For the linear algebra to succeed, according to Heuristic 6 we need the number of relations to exceed the factor base size. To minimise the relation collection effort, we choose ν and δ such that equality holds, that is,

$$\kappa \nu \delta - \frac{\kappa(\delta + \nu)}{3b} = b. \tag{5}$$

On the other hand, we wish to choose the parameters such that the time taken by the (sparse) linear algebra phase, which is L(1/3, 2b + o(1)), is comparable with the time taken by the relation collection:

$$\kappa \nu \delta = 2b. \tag{6}$$

Substituting κνδ from (6) into (5), we obtain

$$\nu + \delta = \frac{3b^2}{\kappa}.$$

So the sum and product of ν and δ are known, and ν and δ are the roots of the quadratic polynomial

$$T^2 - \frac{3b^2}{\kappa}\, T + \frac{2b}{\kappa}.$$

For the roots to exist as real numbers, the discriminant of the quadratic polynomial must be non-negative, which is equivalent to

$$\frac{9b^4}{\kappa^2} \ge \frac{8b}{\kappa}, \quad\text{that is,}\quad b^3 \ge \frac{8\kappa}{9}.$$

Since we want to minimise the effort, we choose b minimal and reach equality above. Then

$$b = \left( \frac{8\kappa}{9} \right)^{1/3}.$$

The total running time becomes L(1/3, c + o(1)) with

$$c = 2b = \left( \frac{64\kappa}{9} \right)^{1/3}.$$

□
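A worked check of the parameter optimisation in the proof above, added here as an illustration (it is not part of the paper's text). It uses the symbols of the proof and assumes the standard definition L(α, c) = exp(c (g log q)^α (log(g log q))^{1−α}), which is the one consistent with ν = ⌊c g^α M^{1−α}⌋ in Proposition 2; the numerical values are for the sample choice κ = 1.

$$
\begin{aligned}
&\text{(5), (6):}\quad \kappa\nu\delta - \frac{\kappa(\nu+\delta)}{3b} = b,\quad \kappa\nu\delta = 2b
\;\Longrightarrow\; \nu+\delta = \frac{3b^2}{\kappa},\quad \nu\delta = \frac{2b}{\kappa}. \\[4pt]
&\text{At the minimal } b = \bigl(\tfrac{8\kappa}{9}\bigr)^{1/3} \text{ the discriminant } \tfrac{9b^4}{\kappa^2} - \tfrac{8b}{\kappa} \text{ vanishes, so the double root is}\quad
\nu = \delta = \frac{3b^2}{2\kappa}. \\[4pt]
&\text{Check of (6):}\quad \kappa\nu\delta = \kappa \cdot \frac{9b^4}{4\kappa^2} = \frac{9b \cdot b^3}{4\kappa} = \frac{9b}{4\kappa}\cdot\frac{8\kappa}{9} = 2b. \\[4pt]
&\text{Smoothness exponent at the optimum:}\quad \frac{\kappa(\delta+\nu)}{3b} = \frac{\kappa}{3b}\cdot\frac{3b^2}{\kappa} = b,
\quad\text{so}\quad \#\text{relations} = \frac{L(1/3, 2b)}{L(1/3, b)} = L(1/3, b) = |\mathcal{F}|. \\[4pt]
&\kappa = 1:\quad b = (8/9)^{1/3} \approx 0.9615,\quad \nu = \delta = \tfrac{3}{2} b^2 \approx 1.387,\quad c = 2b = (64/9)^{1/3} \approx 1.923.
\end{aligned}
$$

Two things the proof states only implicitly become visible here: at the optimum the two contributions n·deg_X φ and d·deg_Y φ to the divisor degree are balanced (ν = δ), and each candidate φ yields a relation with probability exactly 1/|F|, so that L(1/3, 2b) candidates are needed for L(1/3, b) relations, which is why relation collection and sparse linear algebra end up with the same cost L(1/3, 2b).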



5 Computing discrete logarithms 

We now turn to the precise description and analysis of the special-Q descent strategy outlined in Section 2.2.

Theorem 8 Under the assumptions of Theorem 7, once the relation collection and linear algebra steps have been completed, the logarithm of any divisor in the Jacobian group of C_i over F_{q_i} can be computed in time

$$L_{q_i^{g_i}}(1/3,\; b + \varepsilon) \quad\text{with } b = \left( \frac{8\kappa}{9} \right)^{1/3} \text{ and any } \varepsilon > 0.$$

Notice that this complexity is well below that of Theorem 7 for the relation collection and linear algebra phases.

Proof. Without loss of generality, one may assume that the element whose logarithm is sought is a place of degree bounded by g and of inertia degree 1, cf. the discussion at the end of Section 3.

More precisely, let Q = div(u(X), Y − v(X)) be a place with deg v < deg u ≤ log_q L(1/3 + τ, c) for some c > 0 and 0 ≤ τ ≤ 2/3. The place we start with has τ = 2/3 and c = 1.

We consider the polynomial functions on the curve having a zero at Q, and in particular the lattice of polynomials φ of degree in Y bounded by k with

$$k = \left\lceil \frac{\sigma\, n}{(g/M)^{1/3 - \tau/2}} \right\rceil,$$

where σ > 0 is a constant to be determined later. These φ form an F_q[X]-lattice generated by (v_0(X), Y − v_1(X), Y² − v_2(X), …, Y^k − v_k(X)) with v_0 = u and v_i = v^i mod u for i ≥ 1.
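The lattice construction just described, as an added example (this is not code from the paper): over a prime field F_p it builds the basis (v_0, Y − v_1, …, Y^k − v_k) with v_0 = u and v_i = v^i mod u, checks that every basis element and every F_p[X]-linear combination of them vanishes at Q = div(u(X), Y − v(X)), and reports the resulting bound on the degree in X. The field size p = 7, the place Q and the value k = 3 are constructed sample values; the function and variable names are my own.

```python
# Added example, not from the paper: the F_q[X]-lattice of functions with a zero
# at Q = div(u(X), Y - v(X)), over a prime field F_p (q = p).  Polynomials in
# F_p[X] are lists of coefficients, lowest degree first; the zero polynomial is [].
from typing import List

Poly = List[int]


def trim(a: Poly) -> Poly:
    """Drop leading (highest-degree) zero coefficients; returns a copy."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def padd(a: Poly, b: Poly, p: int) -> Poly:
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])


def psub(a: Poly, b: Poly, p: int) -> Poly:
    return padd(a, [(-y) % p for y in b], p)


def pmul(a: Poly, b: Poly, p: int) -> Poly:
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)


def pmod(a: Poly, m: Poly, p: int) -> Poly:
    """Remainder of a modulo the non-zero polynomial m in F_p[X]."""
    a, m = trim(a), trim(m)
    inv_lead = pow(m[-1], p - 2, p)  # p prime, so Fermat gives the inverse
    while len(a) >= len(m):
        coef = a[-1] * inv_lead % p
        shift = len(a) - len(m)
        for i, c in enumerate(m):
            a[shift + i] = (a[shift + i] - coef * c) % p
        a = trim(a)
    return a


def pdeg(a: Poly) -> int:
    return len(trim(a)) - 1  # the zero polynomial gets degree -1


# A function phi with deg_Y phi <= k is stored as [coeff of Y^0, ..., coeff of Y^k].
def special_q_lattice(u: Poly, v: Poly, k: int, p: int) -> List[List[Poly]]:
    """Basis (v_0, Y - v_1, ..., Y^k - v_k) with v_0 = u and v_i = v^i mod u."""
    basis = [[trim(u)] + [[] for _ in range(k)]]
    vi: Poly = [1]
    for i in range(1, k + 1):
        vi = pmod(pmul(vi, v, p), u, p)
        elt = [psub([], vi, p)] + [[] for _ in range(k)]
        elt[i] = [1]
        basis.append(elt)
    return basis


def vanishes_at_q(phi: List[Poly], u: Poly, v: Poly, p: int) -> bool:
    """phi lies in the ideal (u, Y - v)  <=>  phi(X, v(X)) = 0 mod u(X)."""
    acc: Poly = []
    for coeff in reversed(phi):  # Horner's rule in Y, evaluated at Y = v(X)
        acc = pmod(padd(pmul(acc, v, p), coeff, p), u, p)
    return acc == []


def combine(coeffs: List[Poly], basis: List[List[Poly]], p: int) -> List[Poly]:
    """phi = sum_i a_i * b_i, an F_p[X]-linear combination of the basis."""
    k = len(basis[0]) - 1
    phi: List[Poly] = [[] for _ in range(k + 1)]
    for a, b in zip(coeffs, basis):
        for j in range(k + 1):
            phi[j] = padd(phi[j], pmul(a, b[j], p), p)
    return phi


def deg_x(phi: List[Poly]) -> int:
    return max(pdeg(c) for c in phi)


# Constructed sample place: p = 7, u = X^2 + 1 (irreducible mod 7), v = 3X + 2, k = 3.
P, U, V, K = 7, [1, 0, 1], [2, 3], 3


def demo() -> dict:
    basis = special_q_lattice(U, V, K, P)
    coeffs = [[1, 2], [3], [0, 1], [5, 5]]  # a_0..a_3, each of degree <= 1
    phi = combine(coeffs, basis, P)
    return {
        "basis_vanishes": all(vanishes_at_q(b, U, V, P) for b in basis),
        "combination_vanishes": vanishes_at_q(phi, U, V, P),
        # deg_X phi <= max_i (deg a_i + deg v_i): the quantity the descent bounds
        "deg_x_bound_holds": deg_x(phi) <= max(pdeg(a) + pdeg(b[0]) for a, b in zip(coeffs, basis)),
        "Y_alone_vanishes": vanishes_at_q([[], [1]], U, V, P),  # Y is not in the ideal
    }


if __name__ == "__main__":
    print(demo())
```

With the naive basis, the element v_0 = u has full degree deg u in X, so a combination using a_0 of positive degree has deg_X φ ≥ deg u. Bringing all coordinates down to D/k + z as in the proof is the job of the linear algebra on the lattice mentioned in the text; the example only checks membership in the ideal and the degree bound max_i (deg a_i + deg v_i) that this linear algebra starts from.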
Let L(1/3, e + o(1)) be the effort we are willing to expend for one smoothing step, where e > 0 is a parameter to be optimised later. Then we need a sieving space of the same size, and are thus looking for L(1/3, e + o(1)) distinct (k + 1)-tuples of polynomials (a_0(X), a_1(X), …, a_k(X)) and corresponding functions

$$\varphi = -a_0(X)\, v_0(X) + \sum_{i=1}^{k} a_i(X)\bigl(Y^i - v_i(X)\bigr) = \sum_{i=1}^{k} a_i(X)\, Y^i - \sum_{i=0}^{k} a_i(X)\, v_i(X).$$

At the same time, we wish to minimise the degree of φ in X. Recall that the degree of v_i is bounded by D := log_q L(1/3 + τ, c). Then for any integer z, linear algebra on the lattice yields q^{kz} different tuples such that the degrees of the a_i and that of a_i v_i are at most D/k + z. Choose z so as to obtain a sieving space of size L(1/3, e + o(1)), that is, solve q^{kz} = L(1/3, e + o(1)), or

$$z = \frac{1}{n} \log_q L\bigl(2/3 - \tau/2,\; e/\sigma + o(1)\bigr).$$

Now the degree of φ in X is bounded from above by D/k + z with

$$\frac{D}{k} = \frac{1}{n} \log_q L\bigl(2/3 + \tau/2,\; c/\sigma\bigr).$$

Whenever τ is bounded away from zero, the value of z is thus negligible compared to that of D/k. However, to encompass in a unified treatment the case where τ approaches zero, we crudely bound −τ/2 by +τ/2 in the expression for z to obtain

$$\deg_X \varphi \le \frac{1}{n} \log_q L\bigl(2/3 + \tau/2,\; (c + e)/\sigma + o(1)\bigr).$$

The degree of the affine part of the divisor of φ is again, as in the proof of Theorem 7, bounded by

$$\deg_X \varphi \cdot \deg_Y C + \deg_Y \varphi \cdot \deg_X C \le n \deg_X \varphi + kd \le \log_q L\bigl(2/3 + \tau/2,\; (c + e)/\sigma + \sigma\kappa + o(1)\bigr)$$

since, up to the rounding of k,

$$kd \le \frac{\sigma\, nd}{(g/M)^{1/3 - \tau/2}} \le \frac{\sigma \kappa\, g}{(g/M)^{1/3 - \tau/2}} = \log_q L\bigl(2/3 + \tau/2,\; \sigma\kappa\bigr).$$

So out of the L(1/3, e + o(1)) possible φ we expect by Corollary 4 and Heuristic 5 that one is log_q L(1/3 + τ/2, c′)-smooth for

$$c' = \frac{(c + e)/\sigma + \sigma\kappa}{3e}.$$

To minimise this quantity, we let σ = √((c + e)/κ), so that

$$c' = \frac{2\sqrt{\kappa}}{3e}\, \sqrt{c + e}. \tag{7}$$

Let us summarise the procedure: starting with Q of degree g = log_q L(1/3 + 2/3, 1), we use the technique above (with τ_0 = 2/3, c_0 = 1) to smooth it into places of degree at most log_q L(1/3 + τ_1, c_1) with τ_1 = 1/3 and c_1 = 2√(κ(c_0 + e))/(3e). Each of these is then smoothed again into places of degree at most log_q L(1/3 + τ_2, c_2), and so on, following the formulae

$$\tau_i = \frac{1}{3 \cdot 2^{i-1}}, \qquad c_i = \frac{2\sqrt{\kappa}}{3e}\, \sqrt{c_{i-1} + e}.$$

After i steps, we get places of degree at most

$$\log_q L\Bigl(\frac{1}{3} + \frac{1}{3 \cdot 2^{i-1}},\; c_i\Bigr) = \log_q L\Bigl(\frac{1}{3},\; c_i\, (g/M)^{\frac{1}{3 \cdot 2^{i-1}}}\Bigr).$$



We need to bound the c_i. Studying the function f(x) = a√(x + e) with a = 2√κ/(3e) yields that the sequence (c_i) converges to a finite limit c_∞, obtained by solving c′ = c in (7), so that

$$c_\infty = \frac{x}{2} + \sqrt{\frac{x^2}{4} + xe}, \quad\text{where } x = \frac{4\kappa}{9e^2}.$$

Fix an arbitrary constant ζ > 0. After a certain number of steps, depending only on e, κ and ζ, we have c_i ≤ c_∞ · (1 + ζ). Furthermore, after Θ(log log g) steps, we can also bound the expression (g/M)^{1/(3·2^{i−1})} by (1 + ζ).

It follows that for any positive constant ζ, by building a special-Q descent tree of depth Θ(log log g), we can smooth elements down to a degree

$$\log_q L\bigl(1/3,\; c_\infty (1 + \zeta)^2\bigr).$$

Each node in the tree has arity bounded by g, so the number of nodes in the tree is in g^{O(log log g)} = L_{q^g}(1/3, o(1)) and has no influence on the overall complexity. We finally compute the effort needed to reach c_∞ = b. We have 9b³ = 8κ, and we write 9e³ = Eκ, with E to be determined. The equation b = c_∞ then simplifies to an equation in E alone, which holds for E = 8, giving e = b. We therefore conclude that the special-Q descent finishes within time L_{q^g}(1/3, b + ε) for any fixed ε > 0.
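The fixed-point computation of the last paragraph, carried through explicitly as an added worked check (not part of the paper's text). It uses the paper's symbols b, e, E, κ, x and c_∞ and assumes the standard definition of L(α, c) as in Proposition 2; the numerical values are for the sample choice κ = 1.

$$
\begin{aligned}
&\text{With } 9b^3 = 8\kappa \text{ and } 9e^3 = E\kappa:\quad
x = \frac{4\kappa}{9e^2} = \frac{4\kappa\, e}{9e^3} = \frac{4\kappa\, e}{E\kappa} = \frac{4e}{E}, \\[4pt]
&c_\infty = \frac{x}{2} + \sqrt{\frac{x^2}{4} + xe}
= \frac{2e}{E} + \sqrt{\frac{4e^2}{E^2} + \frac{4e^2}{E}}
= \frac{2e}{E}\bigl(1 + \sqrt{1 + E}\bigr). \\[4pt]
&\text{Since } e = \bigl(\tfrac{E}{8}\bigr)^{1/3} b:\quad
c_\infty = b \iff \frac{2}{E}\Bigl(\frac{E}{8}\Bigr)^{1/3}\bigl(1 + \sqrt{1 + E}\bigr) = 1
\iff h(E) := E^{-2/3}\bigl(1 + \sqrt{1 + E}\bigr) = 1. \\[4pt]
&\text{At } E = 8:\quad h(8) = 8^{-2/3}(1 + 3) = \tfrac{1}{4}\cdot 4 = 1,\ \text{hence } e = b \text{ and } c_\infty = \tfrac{2e}{8}\cdot 4 = e = b. \\[4pt]
&\text{Uniqueness: } h'(E) < 0 \iff \frac{E}{2\sqrt{1+E}} < \frac{2}{3}\bigl(1 + \sqrt{1+E}\bigr) \iff 3E < 4 + 4E + 4\sqrt{1+E}, \\
&\text{which always holds, so } h \text{ is decreasing and } E = 8 \text{ is the only solution; for } E < 8 \text{ one has } c_\infty / b = h(E) > 1. \\[4pt]
&\kappa = 1,\ e = b \approx 0.9615:\quad c_0 = 1,\ c_1 \approx 0.971,\ c_2 \approx 0.964,\ c_3 \approx 0.962 \to c_\infty = b.
\end{aligned}
$$

The monotonicity of h is what makes E = 8 the right choice rather than merely a choice: spending less than L(1/3, b) per smoothing step (E < 8) leaves the descent stuck at leaves of degree log_q L(1/3, c_∞) with c_∞ > b, which are outside the factor base, while E > 8 reaches the factor base at a higher cost per step than necessary.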

So far, we have remained silent about the exact nature of the o(1) terms. As long as a fixed number of them is involved, this does not pose any problem. But the number of smoothing steps and thus ultimately the number of applications of Theorem 1 is not constant. So at first sight, it is not clear whether the sum of all the o(1) terms is still in o(1). However, since the depth of the tree is in Θ(log log g), and since according to Proposition 2 the o(1) is actually a constant times log log(g log q) / log(g log q), the overall function still tends to 0 and is a o(1). □
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The non-cyclic case. In general, the Jacobian group need not be cyclic, but may have 
up to 2g invariant factors. In this case, we call "discrete logarithm" of an element its 
coefficient vector with respect to a basis of the invariant factor decomposition. Otherwise 
said, we need to compute a tuple of scalars instead of a single one. 

We assume that the group order is still known and start by considering the compara- 
tively easy case that we are given two elements P and Q, where Q is a multiple of P, and 
we wish to compute the unknown multiplier, the discrete logarithm of Q to the base P. 
Write down the relation matrix exactly as in Theorem 7 and perform two descents as in 
Theorem 8 for decomposing P and Q as sums of factor base elements. The right hand 
sides of the two decompositions are appended to the relation matrix. An element of the 
kernel of this matrix modulo the group order gives the sought relationship between P 
and Q. The discrete logarithm can be deduced from it if the coefficient corresponding 
to Q is coprime to the group order; using techniques as in [13], this can be guaranteed 
to happen with probability approaching 1. The final complexity is then the same as in 
Theorem 7. 

This approach generalises immediately to the non-cyclic case if an explicit basis $\{P_i\}$ 
of the invariant factors is known together with the exact orders of the basis elements. 
Then the discrete logarithm of an element Q as a tuple with respect to the $P_i$ may be 
obtained as follows. After decomposing the $P_i$ and Q over the factor base as in Theo- 
rem 8, the matrix may be augmented by the right hand sides of all these decompositions. 
An element of the kernel yields the sought expression of Q in terms of the $P_i$ as long 
as the coefficient corresponding to Q is coprime with the group order. Again, the total 
complexity is as in Theorem 7. 
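The kernel-based extraction of a discrete logarithm from the augmented relation matrix, as described in the two preceding paragraphs, is illustrated by the following added example (it is not code from the paper). It assumes a prime group order N so that Gaussian elimination modulo N suffices, and works on a constructed toy group; the paper's randomisation argument for obtaining a coefficient coprime to the group order is only mirrored by a gcd check.

```python
from math import gcd

def left_kernel_mod_p(rows, p):
    """Basis of the left kernel {u : u*M == 0 (mod p)} of the matrix M with the
    given rows, for prime p. Row-reduce [M | I]; the identity parts of the rows
    whose M part reduced to zero are exactly the left-kernel vectors."""
    m, n = len(rows), len(rows[0])
    aug = [[x % p for x in row] + [int(i == j) for j in range(m)]
           for i, row in enumerate(rows)]
    rank = 0
    for col in range(n):
        piv = next((r for r in range(rank, m) if aug[r][col]), None)
        if piv is None:
            continue
        aug[rank], aug[piv] = aug[piv], aug[rank]
        inv = pow(aug[rank][col], -1, p)
        aug[rank] = [x * inv % p for x in aug[rank]]
        for r in range(m):
            if r != rank and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[rank])]
        rank += 1
    return [row[n:] for row in aug[rank:]]

def express_in_basis(relations, basis_decomps, decomp_Q, N):
    """Coefficients (x_1, ..., x_r) with Q = sum_i x_i P_i. Rows: the relation
    matrix, then the factor-base decompositions of P_1..P_r and of Q. A
    left-kernel vector (u, alpha_1..alpha_r, beta) means sum alpha_i P_i +
    beta Q = 0 in the group; it is usable when beta is coprime to N."""
    rows = relations + basis_decomps + [decomp_Q]
    r = len(basis_decomps)
    for u in left_kernel_mod_p(rows, N):
        alphas, beta = u[-r - 1:-1], u[-1]
        if gcd(beta, N) == 1:
            inv = pow(beta, -1, N)
            return [(-a * inv) % N for a in alphas]
    return None  # no usable kernel vector: more relations are needed

# Constructed toy instance (not from the paper): a cyclic group of prime order
# N = 101 whose five factor base elements f_i have the secret logs ELL; a
# relation is a vector r with sum r_i f_i = 0, i.e. r.ELL == 0 (mod N).
N = 101
ELL = [3, 7, 20, 51, 88]
RELATIONS = [[ELL[i] if j == 0 else (-ELL[0] if j == i else 0) for j in range(5)]
             for i in range(1, 5)]          # four independent relations
DECOMP_P = [1, 1, 0, 0, 0]                  # P = f_0 + f_1     (log 10)
DECOMP_Q = [0, 1, 3, 0, 0]                  # Q = f_1 + 3 f_2   (log 67 = 37*10 mod 101)
if __name__ == "__main__":
    print(express_in_basis(RELATIONS, [DECOMP_P], DECOMP_Q, N))  # [37]
```

Dropping one of the four relations so that they no longer span the relation lattice makes the function return None, which is the situation in which more relations must be collected.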

We finally show how to obtain the group structure if only the group order is known. 
The classical approach is to compute a Smith Normal Form (SNF) of the relation matrix 
obtained in Theorem 7, but this is more costly than a sparse kernel computation. Using 
the knowledge of the group order and the fact that for divisor class groups of curves 
there is a known set of generators of polynomial size, Heß shows in [19, Lemma 50] 
how to tweak the SNF computation to keep the same low complexity as before. In 
our context, after having computed the relation matrix as in Theorem 7 and a set 
of generators of polynomial cardinality r, we apply r times Theorem 8 to obtain a 
decomposition of each generator in terms of the factor base elements. The right hand 
sides of these decompositions are appended to the matrix. Then some r kernel elements 
are computed by sparse linear algebra modulo the group order, yielding relations between 
the generators. Using the randomisation techniques of [13], one may ensure that these 
relations are uniformly distributed over all kernel elements. It is then easy to compute a 
Smith Normal Form (SNF) of this matrix of polynomial size, thus giving an explicit basis 
for the group structure. The overall complexity is then again the same as for Theorem 7. 

Group order. If the group order is unknown, it may be obtained alongside the in- 
variant factors from the SNF of the relation matrix of Theorem 7, but computing the 
SNF, while still being of complexity L(1/3), would needlessly increase the constant of 
the subexponential function. 
Instead, one may use the point counting algorithm due to Lauder and Wan [20], 
which has a complexity that is polynomial in p, the degree of the finite field extension 
and the degree of the curve equation. Notice that by (1), the latter is in O(g). If p is 
very small compared to g, for instance, in the extreme case that p is fixed, then Lauder 
and Wan's algorithm has an overall polynomial time complexity. But even in the most 
general setting in which Theorem 7 applies, we have q = L(1/3, o(1)) by Corollary [U so 
that computing the group order takes only time L(1/3, o(1)). 

In practice, SNF computations may still be faster than Lauder and Wan's algorithm 
in corner cases. It may then be worthwhile to switch to the algorithm of [5] for $C_{ab}$ curves, 
which has a quasi-linear complexity in p; or to that of [22] for superelliptic curves, which 
has a square-root complexity in p. 



6 Limit cases and special classes of curves 

6.1 n close to $(g/M)^{1/3}$ 

In this and the following section, we examine what happens when the hypothesis (2) of 
Theorem 7 is not satisfied. First, we consider the case $< \liminf \ \ldots \ =: \lambda < \infty$ 

(the symmetric condition for $d_i$ is handled analogously). To simplify the presentation, 
we assume that we have switched to a subsequence that approaches the limit, and drop 
again all indices i. 

Following the proof of Theorem 7, we see that the degree in Y of $\varphi$ poses a problem: 
it tends to $[\nu\lambda]$, which is a constant, so that (3) is not valid any more. Define $\nu^* =$ 
< u + J; then (3) holds with $\nu^*$ in the place of $\nu$. 

We now have to optimise the constant in the subexponential function giving the total 
complexity, 2b, subject to (5) and (6), in which all occurrences of $\nu$ have been replaced by 
$\nu^*$. As with $\nu$ we lose one degree of freedom, the solution to the optimisation problem 
becomes worse, and we will end up with a higher total complexity. In fact, the two 
equations (5) and (6) in the two variables b and $\delta$ admit a unique solution $b, \delta > 0$, which is 
easily computed. The analysis of the individual logarithm computation step is modified 
along the same lines, with an increased effort value. 

It is interesting to study what happens when $\lambda \to 0$. This entails $\nu^* \sim$ ^ $\to \infty$ (here, 
$\sim$ denotes equivalence in the sense that the quotient of the left and the right hand side 
tends to 1). The solution to equations (5) and (6) is uniquely determined by $\nu^*$ and 
yields in particular 

V3 ^/X 

Similarly, in the special-Q descent step, we have 

$$\deg_Y \varphi = k = \cdots = \sigma\lambda\,(g/M)^{1/3}.$$ 

Assuming the worst case scenario, which is r very close to (corresponding to the end 
of the descent), we must ensure that $\sigma\lambda > 1$. We thus have to replace the optimal $\sigma$ 
by $\sigma^* \sim 1/\lambda$. This changes the equation giving d as a function of c. For the limit of the 
sequence $c_j$ to match b, we thus have to adapt the effort value e. We obtain: 

1 

Given that b and e tend to infinity when $\lambda \to 0$, we expect that a complexity of 
L(1/3) will no longer be achievable using the presented algorithm when n grows more 
slowly than $(g/M)^{1/3}$; this is confirmed by the following analysis. 

6.2 n below $(g/M)^{1/3}$ 

When the lower bound for $n_i$ has the form $(g/M)^{\alpha}$ with $\alpha < 1/3$, then we have 
$d = \log_q L(1-\alpha, O(1))$ at best. This implies that in the algorithm depicted in this 
article, both in the relation collection and individual logarithm steps, the best possible 
upper bound for the norm of the functions $\varphi$ is $\deg_X \mathrm{Res}_Y(\varphi, C) \le \log_q L(1-\alpha, O(1))$. We 
then obtain an algorithm of complexity 

$$L\left(\frac{1-\alpha}{2}, c\right) \quad \text{for some } c > 0.$$ 

Following exactly the lines of the proofs of Theorems 7 and 8, it is also possible to make 
the constant c in the expression above completely explicit. 

6.3 Curves with a low weighted degree 

Theorem 9 Assume that the family of curves of Theorem 7 satisfies the following ad- 
ditional constraint: $\kappa = 2$, and each monomial $X^j Y^k$ occurring in the equation of C has 
$nj + dk \le nd$. For instance, the curves may be $C_{nd}$ curves. 

Then the relation collection and the linear algebra phases are performed in time 

$$L(1/3, c + o(1)) \quad \text{with } c = \sqrt[3]{64/9}.$$ 

Remark. The case of plane non-singular curves of total degree $\sim \sqrt{2g}$, which has been 
studied by Diem in [8], is included in the theorem. In this case, one has additionally 
$n \sim d \sim \sqrt{2g}$ and $\alpha = 1/2$. 

Proof. We use the notation of the proof of Theorem 7. Instead of bounding the degrees of 
X and Y in $\varphi$ separately ("taking from a rectangle"), we take $\varphi$ of bounded weighted 
degree ("from a triangle"). The monomials $X^j Y^k$ occurring in $\varphi$ are required to satisfy 
$nj + dk \le \lambda g^{2/3} M^{1/3}$ for some parameter $\lambda$ replacing $\nu$ and $\delta$ and to be optimised later. 
Then 

$$\deg_X \mathrm{Res}_Y(\varphi, C) \le \lambda g^{2/3} M^{1/3} = \log_q L(2/3, \lambda),$$ 

which yields a smoothness probability of 

$$L\left(1/3, -\frac{\lambda}{3b} + o(1)\right).$$ 
The biggest power of X in $\varphi$ is $\lambda g^{2/3} M^{1/3}/n$, the biggest power of Y is $\lambda g^{2/3} M^{1/3}/d$. The 
number of allowed monomials is given by the product of these two quantities divided by 
2, so that the search space has size about 

$$q^{\lambda^2 g^{4/3} M^{2/3}/(2nd)} \ge q^{\lambda^2 g^{1/3} M^{2/3}/4} = L(1/3, \lambda^2/4).$$ 

So the expected number of relations becomes $L(1/3, \lambda(3b\lambda - 4)/(12b))$, which should be 
the same as the factor base size. Thus, $b = \lambda(3b\lambda - 4)/(12b)$. Equating the time spent 
in the relation collection and in the linear algebra phase, we get $\lambda^2/4 = 2b$. These two 
equations are solved by 

$$b = \sqrt[3]{\frac{8}{9}}, \qquad \lambda = 3b^2 = \sqrt[3]{\frac{64}{3}},$$ 

and yield a total complexity of $L(1/3, c)$ with 

$$c = 2b = \sqrt[3]{\frac{64}{9}}.$$ 

□ 
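The solution of the two equations of the proof, carried through step by step as an added worked derivation (not part of the original proof), with the o(1) terms dropped. Substituting $\lambda^2/4 = 2b$ into the relation count equation eliminates $\lambda^2$:

$$b = \frac{\lambda^2}{4} - \frac{\lambda}{3b} = 2b - \frac{\lambda}{3b} \;\Longrightarrow\; \frac{\lambda}{3b} = b \;\Longrightarrow\; \lambda = 3b^2.$$

Substituting $\lambda = 3b^2$ back into $\lambda^2/4 = 2b$ gives

$$\frac{9b^4}{4} = 2b \;\Longrightarrow\; b^3 = \frac{8}{9}, \qquad b = \sqrt[3]{8/9}, \quad \lambda = 3b^2 = \sqrt[3]{64/3}, \quad c = 2b = \sqrt[3]{64/9} \approx 1.92.$$

As a check, $\lambda^2/4 = (64/3)^{2/3}/4 = 4/\sqrt[3]{9} = 2b$ and $\lambda/(3b) = 3b^2/(3b) = b$, so both original equations hold.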

To conclude, we note that the runtime for computing individual logarithms by 
special-Q descent derived in Section 5 is still dominated by the improved runtime for re- 
lation collection and linear algebra in this special case. Therefore, while an analogously 
improved approach to individual logarithms using functions "from a triangle" would 
work, it would not have any effect on the total complexity, and we omit its analysis. 